Tag Archives: ransomware

Premiums Climb as Ransomware Bites

Ransomware is on the rise and posing significant challenges for the insurance industry. Ransomware attacks soared by 485% last year compared with 2019, according to Bitdefender. Cybercriminals and state-sponsored hackers alike are employing ransomware to line their pockets and cause mayhem. The Colonial Pipeline, the Harris Federation, CNA Financial and Acer are just a few of the high-profile victims so far this year. 

Without proper planning and protection, a ransomware attack can sink a company. The average ransom cost is now $154,108, according to Coveware, and the average downtime caused is 21 days. 

As more and more victims pay up, cybersecurity insurance carriers are changing their products, increasing premiums, and limiting coverage. 

Attackers Targeting Insurance Providers

While cybersecurity policies covering ransomware used to be relatively easy to find and offer generous potential payouts, that’s no longer the case. Ransomware gangs have been doing their homework. They gain access to insurance company client lists and hack into networks to study individual policies for the purpose of uncovering maximum policy limits of targeted companies.

An anonymous spokesperson for the REvil ransomware gang was recently asked about targeting insurers in an interview for The Record, and said, “Yes, this is one of the tastiest morsels. Especially to hack the insurers first—to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.”

Any insurer that responds to this onslaught with a blanket policy of not paying ransoms is soon under siege. Cybercriminals unleash coordinated attacks designed to make examples of these carriers and warn off other insurers that may be considering a similar no-pay policy. Inevitably this has impacted the coverage carriers offer. 

Insurers Building Experience

The silver lining here is that the cyber insurance industry has a vested interest in keeping costs, risk and recovery time down. To that end, insurers engage the very best incident responders with a proven track record. For a victim seeking a ransomware recovery specialist, a cybersecurity carrier might be the fastest and easiest route to the top talent. 

As insurers build a knowledge base and deal with the aftermath of more and more ransomware incidents, they are also gaining a deeper understanding of how to guard against such attacks. 

Organizations seeking consultation on what they might do to prevent ransomware infiltrating their networks, how to cope during an attack, and the fastest path to recovery can get solid advice from carriers. But all this experience comes at a price.


More Stringent Requirements and Fewer Options 

Any organization shopping for cyber insurance will find the market very different from what it was just a few years ago. Many carriers are now refusing to insure against ransomware at all, and those that do require solid proof that strong security controls are in place before they will issue any policy. Coverage scope and optional add-ons have been drastically reduced across the board, but particularly in industries with high exposure and susceptibility.

Even with every box ticked, the amounts that insurers are offering now are relatively limited. Premiums in general are higher, but for organizations considered to be high-risk with large limit requirements, policies may be prohibitively expensive. It’s important to remember that even with the climbing costs, cybersecurity insurance will still be cheaper than a breach for most organizations. A third-party assessment and strict requirement for strong controls can also prove invaluable in strengthening your security posture.

No Substitute for Proper Cybersecurity Planning

Ultimately, cybersecurity insurance is a complementary product that can help reduce business risk. It’s crucial to take appropriate steps to guard against ransomware and to fully plan and practice how to deal with an incident. Consider that the most likely way for ransomware to break in is through social engineering. Train your staff to spot phishing attacks and build response plans to investigate and deal with them.

Other smart protective actions include a regular patching procedure to ensure software is kept up to date, a comprehensive asset list that gives you a complete picture of company hardware, and properly protected off-site backups from a variety of points in time. Craft incident response and recovery plans to clearly delineate correct procedures and responsibilities and then test them in a mock attack to ensure you’re ready for the real thing.

If you are operating without coverage or your policy is coming up for renewal soon, make sure you dig into the details and fully assess your options. You may find that the budget you have allocated based on previous policies is no longer suitable. Just remember, the stronger your defenses are, the easier and cheaper it will be to secure a cybersecurity insurance policy that gives you the cover you need.

Aggressive Response to Ransomware

Ransomware attacks are increasing at an alarming rate — Colonial Pipeline, JBS and now McDonald’s, where cybercriminals stole some data. And those are just a few of the growing number of cybersecurity breaches being reported.

According to the Institute of Security and Technology, victims paid $350 million in ransom in 2020, more than four times the amount in 2019. Around 2,400 government organizations, healthcare facilities and schools in the U.S. were reportedly attacked.

The economic impacts from these evolving cybercrimes are massive. Apart from the loss of money paid in ransom, companies and governments have to go through several additional challenges, such as service downtime, loss of private data and recovery cost. 

This surge in ransomware attacks highlights the urgency in dealing with the national security threat before it gets out of control. Businesses should carefully evaluate every potential alternative available before paying the ransom. When hackers succeed in extortions, these kinds of crimes become more attractive. And there is no guarantee that the hackers would give the decryption keys even if a ransom is paid.

The government organizations and the private sector should work hand in hand to deal with cyberattacks and ensure data is recovered without paying a ransom. Companies should keep law enforcement agencies in the loop when tackling a ransomware attack and support the administration in disrupting the hackers’ network. There should be an aggressive, joint strategy and an unbreakable security network to combat these cybersecurity challenges.

Meanwhile, a collaborative global effort involving governments and security agencies is crucial in the fight against cybercrimes. Nations should aggressively investigate and prosecute cybercriminals operating from their land. Governments should use strategies, such as sanctions, to pressure countries refusing to act against cybercriminals.


The increasing number of cybercrimes may also be exposing security gaps in company networks now that employees are working away from the office. Most businesses are operating remotely these days. It is important to note that not all businesses have the right security systems in place, as they were unprepared for the sudden work-from-home migration when the coronavirus struck. Organizations should implement security controls such as multifactor authentication, endpoint detection and response, and data encryption, and should prepare a plan for dealing with these kinds of security threats before they strike.

Another aspect to note in the recent cyberattacks is that the criminals seem to prefer cryptocurrency, which makes it difficult for law enforcement agencies to track criminals behind transactions. It is high time that the government enforces strict guidelines to ensure that the crypto exchanges follow processes such as Know Your Customer.

What’s Next for Ransomware

Finally, a bit of good news on ransomware: Federal investigators said Monday that they had recovered millions of dollars of the ransom that Colonial Pipeline paid to Russian hackers following their recent attack, which disrupted gasoline supplies up and down the East Coast.

The news may discourage ransomware hackers by showing them that they aren’t as invincible as they think — while they operate from countries that aren’t likely to cooperate with international enforcement and take payment in cryptocurrency, U.S. investigators tracked the Colonial Pipeline ransom to a digital wallet and recovered much of it. The news also underscores FBI Director Christopher Wray’s statement last week that ransomware attacks should be seen as terrorist activity that warrants a heavy response from law enforcement, suggesting that potential corporate targets and their insurers may receive much-needed help.

To understand where ransomware attacks and cyber insurance go from here, I sat down recently with Brian Brown, principal and consulting actuary at Milliman, and Paul Miskovich, a consultant who has been working with Milliman on cyber issues. As you’ll see, they offered a modicum of optimism but raised some tricky issues that both insurers and corporate clients will face — and laid out some cyber threats that lie ahead even if ransomware starts to come under control.

Here is the conversation:

ITL:

When we started planning this conversation, there had just been a high-profile ransomware attack, the one that shut down Colonial Pipeline and greatly restricted the availability of gasoline on the East Coast for days. We’ve since had an attack on JBS, which is the world’s largest meat seller and which provides a quarter of the beef and a fifth of the pork consumed in the U.S. Now that awareness is finally rising for this long-festering problem, what happens next?

Paul Miskovich:

For companies and clients, the attacks will drive investment in cyber resiliency.

The guidance from U.S. regulators and law enforcement, which has been very consistent, is that paying ransoms encourages bad actors to accelerate crimes involving ransomware. The Office of Foreign Assets Control and the Financial Crimes Enforcement Network released advisories in October that warned of sanctions for victims who make ransomware payments. So, you’re in a Catch-22 if you’re attacked. If you choose to pay, you may have to pay penalties. If you choose not to pay, you could suffer reputational harm and other financial losses from being shut down. So, the only correct thing to do is to invest more in cyber resiliency.

ITL:

My thesis has been that the insurance companies should play a major advisory role because they are experts or at least more expert than the individual clients, based on all the cases they are seeing. Is that a reasonable thought?

Paul Miskovich:

It is, but there are issues.

Insurance companies are also affected by the OFAC advisory, and they have issues in making payments. They will need to start investing in technology partners to be able to make ransomware payments, which typically are done in cryptocurrencies. Insurers will also have to work more closely with law enforcement, to avoid sanctions and penalties. With respect to clients, insurers are going to have to work much more closely on prevention and resiliency.

And then you end up with other issues. Hackers will use AI and algorithms that accelerate the pace of the attack and could release confidential information, meaning that victims need to pay the ransom fast. So, insurance companies are going to have to figure out assessment and payment methodologies that work a lot faster than they work now.

ITL:

Can intelligence and law-enforcement agencies like the FBI do more to spot attacks potentially coming from overseas and maybe even shut them down?

Paul Miskovich:

Agencies are going to have to increase their scale, because they don’t have the necessary resources to address the growing cyber threat. There’s a whole criminal network behind ransomware that’s exchanging money in the form of cryptocurrencies, so law enforcement has to get to a level of sophistication that it can use blockchain and other technologies to track the flow and disrupt the perpetrators.

ITL:

What are all these threats doing to insurers and to rates?

Brian Brown:

From 2015 to 2020, premium growth for cyber insurance has been in excess of 25% a year, and the current cyber premium is about $2.3 billion a year. It’s possible that’s understated, because carriers may not be reporting all of the cyber premium. Also, this is just premium written by U.S. domestic companies.

We started to see a big tick up in claims in 2019. The 2019-2020 claim activity has been more than double 2017.

Loss ratios were pretty favorable for stand-alone cyber policies from 2015 to 2018, below or close to 50%. But in 2020 the loss ratio was 73%. That’s assuming that the carriers are perfectly reserving the exposure. We’ve looked at some other data for policies just written in 2020, and the indicated loss ratios, early on, may be much higher than 73%.

A lot of big companies have pretty tight security plans; the medium-sized companies not as much. So, there may be much heavier rate activity for the medium-sized companies. But the fundamental issue is which insurers can determine new, more robust variables that predict the likelihood of a cyber loss.

And, if you’re insuring somebody, you want to provide risk management services to reduce their probability of a cyber event, whether that’s providing courses to employees or software to IT departments to measure cyber resilience. You also really need a qualified staff to handle claims.

The predictions are that premiums will continue to grow well in excess of 25% annually for years to come. So, I think we’re on the cutting edge of a great opportunity for a lot of insurance companies, if they’re able to do it right.

ITL:

Do you want to speculate a bit on what the next threat will be, beyond ransomware?

Paul Miskovich:

I see three. The first one, undeniably, is the exploitation of cloud computing vulnerabilities. Next are the cyber security breaches originating from vulnerabilities in ecosystems, where the victim is provided services, especially web applications, through a third-party offsite server. That area of exposure is going to continue to increase. The other one is that the sophistication of exploits is increasing with artificial intelligence and self-learning algorithms. Denial of service attacks are becoming especially dynamic. The algorithms are quicker and more effective. The algorithm chooses one or more methods of attack using behavioral analysis of the network to try to figure out how to get through the defenses.

ITL:

On the theory that we should fight the next war, not the last one (as generals famously are said to do), are there particular things you would recommend that anyone in this ecosystem — the clients, the insurers, the regulators or the investigative agencies — should do to prepare us better for those next threats?

Paul Miskovich:

I feel that Congress should establish federal minimum cyber security standards for private businesses. And law enforcement and regulators should put forth information campaigns educating the public. Together, they will set a common basis of knowledge and preparation and will drive investment in cyber resiliency, while improving private companies’ responsiveness to quickly evolving threats.

As for critical infrastructure — energy, transportation and healthcare — I think they require much, much deeper resiliency planning.

We don’t really know what the next attack will be, but if we all have the same baseline through training and standards, and we’re all sharing information, then our responses can be more effective.

Brian Brown:

We’re seeing a hard market now, but if we were to get one or several large events, in the $100 million to $1 billion range, we’d see an extremely hard market, and quite possibly capacity issues. So, some are looking at alternative capital sources to provide cyber coverage. We’re also seeing some MGAs and insurtechs actually doing the underwriting, which is likely to be a growing trend.

Paul Miskovich:

Many of the later entrants in the cyber market think it’s more efficient to use specifically targeted, talented teams coming out of MGAs.

Brian Brown:

There are some additional benefits from the MGA relationship, because, if you’re not happy with the performance of the portfolio, it’s easier to exit. So, it’s a quicker ramp up and an easier exit.

ITL:

Thanks to you both. This has been a great discussion.

Cheers,

Paul


Does Cyber Insurance Add to Ransomware?

An increasing number of articles on the topic would have you believe so, and it is a question we’ve long pondered as one of the larger providers of cyber insurance in North America.

The Wall Street Journal just published an article, “As Ransomware Proliferates, Insuring for It Becomes Costly and Questioned,” highlighting a surge in the cost of cyber insurance amid mounting claims from ransomware and speculating that insurance payouts may only be encouraging ransomware attacks.

A spokesperson for Tenable stated it plainly: “[T]he insurance company pays the ransom, the criminals make more money, so they make more ransomware, which leads to more insurance, which leads to more payment, and so we get into this vicious cycle.”

Logical. Or is it?

What causes ransomware?

Ransomware is not just a type of malware. It is a criminal business model in which the perpetrator seeks to obtain benefit by taking hostage a victim’s data, infrastructure, economic output, intellectual property or even privacy. It is extortion in its purest form, and it won’t go away for so long as organizations allow assets of value to be taken hostage. Whether an organization purchases insurance or not has no bearing on the value of the underlying assets taken hostage. Nor in the vast, vast majority of cases are organizations targeted because they have an insurance policy – this simply isn’t information that an attacker has prior to an initial compromise.

Organizations are targeted by threat actors because they have made poor technological choices, oftentimes exposed to the public internet, that make them targets. They are targets of opportunity. Phishing, internet-exposed remote network access, and unpatched internet-facing software and devices account for the vast majority of ransomware targeting and initial compromise. Unfortunately, there are more opportunities (i.e. vulnerable targets) than there are criminals to exploit them, and, as a result, most ransomware actors prioritize targets based on their size and financial resources, which is used as a proxy for the value of assets taken hostage and the victim’s ability to pay. We have seen first-hand communication between threat actors in which an organization gets a “pass” because it isn’t large enough.

The role of insurance in paying ransoms

Nearly all cyber insurance policies cover ransomware, including not only ransom amounts but also digital forensics and incident response (DFIR) costs to respond to the ransomware event, costs to restore and recover lost assets, and resulting business interruption losses (i.e. lost income). From our experience, no one wants to pay a ransom. Certainly not the insurance company and almost never the client. Both have the same amount of hostility as if you’d kidnapped their children and won’t agree to pay a ransom unless it is a last resort. Often, assets can be restored without doing so, with the insurance policy covering the other costs and lost income – exactly as intended.

However, occasionally assets cannot be restored. No backups and no recourse. Pay the ransom or face existential ruin. This is the unenviable position some organizations find themselves in, and the majority do not have insurance. For those that do, there is coverage if the policyholder elects to pay. Because it is impossible to ever be 100% secure, 100% of the time, insurance is literally the only thing that can provide protection against the possible eventuality of a ransomware attack in which an organization has no other means to recover. Moreover, because insurance policies cover the costs of experienced DFIR vendors, or, as in our case, provide such services directly, insured organizations are able to negotiate ransom demands down (nearly 100% of the time, in our experience), something a victim would have a considerably more difficult time doing on its own.


While some insurers are pulling back on coverage, and even eliminating it, and while there is chatter of public policy efforts to render extortion uninsurable or otherwise prevent extortion payments from being made, it would be a tremendous disservice to the organizations affected by these attacks to prevent the insurance industry from continuing to innovate to fight cybercrime. It is impossible to imagine how much worse the world would be without insurance. 

Not only do insurance companies provide a tremendously valuable service, they have a unique ability to encourage – even enforce – the basic cybersecurity hygiene that is so desperately needed. They can also do so at a considerably lower cost than organizations can by themselves.

The role of insurance in fighting cyber crime

There is literally no industry better positioned to fight cybercrime than the insurance industry. Insurers have one thing in common that others (including cybersecurity companies) do not: a direct financial incentive to protect insured clients and prevent financial loss.

To have an impact commensurate with our position, we must act to:

  • Improve underwriting standards across the board. In today’s market, an organization should struggle to get coverage if it has not implemented multi-factor authentication (MFA), disabled remote network access exposed to the internet, or implemented any number of other highly effective security controls. The insurance industry can serve, and is serving, as one of the single most effective enforcers of cybersecurity hygiene at scale. We’ve written about how we do this in another post, “Underwriting ransomware: Our unique approach and what it means for our customers”.
  • Provide risk engineering services to customers at little to no cost. Many insurance providers, like Coalition, are now continuously collecting data on insureds and following claims and using this information to alert other customers to imminent risks. In our case, we do this automatically and at no additional cost to the policy premium. We did this to dramatic effect following the recently disclosed zero-day vulnerabilities in Microsoft Exchange. As we published in our blog, within 48 hours of the disclosure we identified nearly 1,000 potentially affected policyholders. Today, we have only six vulnerable policyholders (!).
  • Maintain effective ransomware coverage for those that need it most. This will mean balancing public policy objectives while avoiding actions that disenfranchise businesses (particularly small businesses). Moreover, any move to make ransomware “uninsurable” would likely (and ironically) hinder, not foster, innovation in the cyber insurance market. Many, although not all, insurers have made dramatic progress in protecting clients from ransomware. Coalition customers report 1/20th the frequency of ransomware claims vs. the broader market, by our own estimates, because we help each achieve a threshold of cybersecurity hygiene that dramatically lowers the likelihood of a successful ransomware attack.

It is in the collective interest of all that, as an industry, we tackle this problem with innovation rather than merely regulation.

Wake-Up Call on Ransomware

The ransomware attack that shut down the 5,500-mile Colonial Pipeline, the largest fuel pipeline in the U.S., contains two important seeds of opportunity.

First, the federal government looks like it may get much more involved in preventing or at least prosecuting cyber attacks, specifically for important infrastructure like pipelines and electric grids, but perhaps more broadly, too.

Second, the attack raises the profile of the ransomware problem to the point that insurance clients may no longer be able to ignore it — which they mostly have even as ransomware activity quintupled globally between the first quarter of 2018 and the fourth quarter of 2020, according to Aon. This higher profile will create the opportunity for insurers to work with clients to finally step up their defenses.

Let me be clear, lest I come across as Pollyannaish: This was a serious assault on a major piece of infrastructure and will likely result in higher gasoline prices, at least in the eastern half of the U.S. The attack also raises the prospect of devastating assaults on other pieces of key infrastructure, both in the U.S. and around the world. In addition, because the ransomware attack was arranged by a criminal ring in Russia, the attack brings into play all sorts of geopolitical issues that go well beyond what happens when some lone criminal hacks his way into a single corporation.

I’m merely suggesting that good things could also come out of the attack by the DarkSide group in Russia, because it underscores two problems that have long been obvious but that have somehow been ignored. The actions spurred by the attack won’t be perfect solutions by any means, but they should help.

The main action looks to be an aggressive response by the federal government, which has struck me as too passive as criminal gangs have greatly stepped up their ransomware attacks. There are limits to what the government can do against international gangs like DarkSide — it’s not as though President Biden can just call Vladimir Putin to complain and have him say, “Oh, sure, I’ll get right on it” — but having the Feds in the game should help a lot.

The other main action — the big opportunity for insurers — will occur because companies will increasingly see their vulnerability (finally!) and request help from the experts: the insurance companies that deal with cyber issues every day.

Thought leaders have been warning about ransomware for ages here at ITL — look at “5 Questions That Thwart Ransomware,” “A Dangerous New Form of Ransomware” and “Ransomware Becomes More Pernicious.”

Look, in particular, at this recent article: “How to Combat the Surge in Ransomware,” from Tokio Marine HCC’s Cyber and Professional Lines Group. It describes what I think is the ideal approach for insurers assisting their clients, not just by selling insurance but by helping them reduce their risks — steering clients toward state-of-the-art tools (priced based on the insurer’s bulk discount) that monitor vulnerabilities, toward using multi-factor authentication, toward training, etc.

Now that the bad guys have shown they can work together and take down big targets like the Colonial Pipeline, the good guys need to work together, too. That surely means more help from the federal government on what is a national and, increasingly, international problem, but it also means insurers need to step up and deliver the sort of expertise and counsel that they uniquely possess and that defines the industry’s noble purpose.

Cheers,

Paul
